[pull] master from cert-manager:master #1066

Signed-off-by: Ashley Davis <ashley.davis@venafi.com>

[CI] Merge self-upgrade-master into master

Signed-off-by: harshitasao <harshitasao@gmail.com>

Signed-off-by: Richard Wall <richard.wall@venafi.com>

Signed-off-by: Ashley Davis <ashley.davis@venafi.com>

Fix GHSA-xr7q-jx4m-x55m

Signed-off-by: harshitasao <harshitasao@gmail.com>

Reduce memory usage by only caching the metadata of Secret resources

BUGFIX: AWS route53: Set global region for sts

This allows configuration of the http01 solver PodSecurityContext as part of the Issuer specification. Signed-off-by: Adrian Lai <aidy@loathe.me.uk>

Signed-off-by: Adrian Lai <aidy@loathe.me.uk>

Signed-off-by: Adrian Lai <adrian.lai@jetstack.io>

These were copy-pasted in from the parent definitions. We don't marshal to protobuf (none of the other structs have equivalent annotations), so remove them as they are unnecessary. Signed-off-by: Adrian Lai <adrian.lai@jetstack.io>

Signed-off-by: Bartosz Slawianowski <bartosz.slawianowski@natzka.com>

Signed-off-by: Miguel Varela Ramos <miguel@cohere.ai>

Signed-off-by: Bartosz Slawianowski <bartosz.slawianowski@natzka.com>

Signed-off-by: Miguel Varela Ramos <miguel@cohere.ai>

Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

[CI] Merge self-upgrade-master into master

Signed-off-by: Miguel Varela Ramos <miguel@cohere.ai>

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Run 'make upgrade-klone' and 'make generate'

Signed-off-by: Miguel Varela Ramos <miguel@cohere.ai>

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

[CI] Self-upgrade merging self-upgrade-master into master

fix: HTTP01 challenge HTTPRoute creation for GatewayAPI

fix: Handle case of Azure returning auth error

Signed-off-by: Richard Wall <richard.wall@venafi.com>

Fix incorrect indentation of the PodMonitor template in the Helm chart

Signed-off-by: Richard Wall <richard.wall@venafi.com>

[VC-34401] Add a metrics server to the webhook

Signed-off-by: Richard Wall <richard.wall@venafi.com>

…hook deployment Signed-off-by: Richard Wall <richard.wall@venafi.com>

[VC-34401] Add a metrics server to the cainjector

Signed-off-by: Richard Wall <richard.wall@venafi.com>

Update the Google CloudBuild job image

Signed-off-by: Brian Dols <brian.dols@inky.com>

Co-authored-by: Richard Wall <wallrj@users.noreply.github.com> Signed-off-by: Peter Fiddes <hawksight@users.noreply.github.com>

Signed-off-by: Peter Fiddes <peter.fiddes@gmail.com>

Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>

[CI] Merge self-upgrade-master into master

Signed-off-by: Peter Fiddes <peter.fiddes@gmail.com>

Allow config of http01 solver pod security context

Signed-off-by: Adam Talbot <adam.talbot@venafi.com>

…late feat: allow pod template to be specified when using gateway-api

Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>

[CI] Merge self-upgrade-master into master

Signed-off-by: Adam Talbot <adam.talbot@venafi.com>

fix: update shasum for docker.io/ubuntu/bind9

When creating the cert-manager serviceaccount we should include the RBAC permissions to create serviceaccount tokens, which are required when using the incuded serviceaccount for authenticating against AWS IRSA when configuring Route53. This aligns with the documentation on Route53, where these permissions are only to be created manually when using a different serviceaccount. Other usecases may apply as well. Fixes #7212 Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>

Signed-off-by: Brian Dols <brian.dols@inky.com>

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

…n registering schemes Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Signed-off-by: Brian Dols <brian.dols@inky.com>

… seperate checking the label/annot. values vs checking the label/annot. keys Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Signed-off-by: Adam Korczynski <adam@adalogics.com>

Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>

[CI] Merge self-upgrade-master into master

…alculation Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

BUGFIX: fix incorrect tls server renewal time check and add unit tests

Signed-off-by: Brian Dols <brian.dols@inky.com>

error out ACME Challenges when encountering non-ACME errors

Fix errcheck linter by adding error checks everywhere

Co-authored-by: Ashley Davis <SgtCoDFish@users.noreply.github.com> Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>

[CI] Merge self-upgrade-master into master

Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com> aaaaaaaaaa

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Run 'make upgrade-klone' and 'make generate'

Improve ordering consistency of policy chain results (issuance, ready ...)

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>

[CI] Merge self-upgrade-master into master

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Add RBAC for the serviceaccount to create tokens

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Fix staticcheck linter: use types.NamespacedName in workqueue

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>

[CI] Merge self-upgrade-master into master

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

…sure the metric with the provided metricName is found. We were depending on it not erroring. This PR removes that assumption and instead makes sure the metric does no longer existi using the CollectAndCount function. Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Upgrade all go dependencies

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

[CI] Self-upgrade merging self-upgrade-master into master

Add unit tests for tls authority logic

…ppears in a certificate, at least one of the bits MUST be set to 1.', we must thus ommit the KeyUsages extension when it does not have any KeyUsages set Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>

[CI] Merge self-upgrade-master into master

Signed-off-by: Adam Korczynski <adam@adalogics.com>

Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>

[CI] Merge self-upgrade-master into master

Signed-off-by: Adam Korczynski <adam@adalogics.com>

…res by removing the Amazon Request ID from STS errors Signed-off-by: Richard Wall <richard.wall@venafi.com>

Prevent aggressive Route53 retries caused by STS authentication failures by removing the Amazon Request ID from STS errors

add fuzz test for cert requests with vault issuer

BUGFIX: adhere to RFC 5280 - Section 4.2.1.3 and don't include empty KeyUsages extensions

Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

[CI] Merge self-upgrade-master into master

Signed-off-by: Yuedong Wu <dwcn22@outlook.com>

also removes some trailing whitespace Signed-off-by: Ashley Davis <ashley.davis@venafi.com>

fix SHA for bind image which changed upstream

Helm: Remove empty apiGroup from 'subjects.ServiceAccount' refs

Signed-off-by: Adam Korczynski <adam@adalogics.com>

changed the scorecard badge link to the standard format

Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>

[CI] Merge self-upgrade-master into master

add fuzzer for venafi cr controller

Signed-off-by: Ashley Davis <ashley.davis@venafi.com>

Add further text explaining why we use an old license year

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

Clarify how to use the Kind section of the PR template

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

feat: Use OAuth endpoint for Venafi Issuer when user/pass provided

K8s expects finalizers to be of the form: FQDN/finalizer-name As such, the initial finalizer name (finalizer.acme.cert-manager.io) used by cert-manager is noncompliant. These changes add initial support for a proper domain qualified name (acme.cert-manager.io/finalizer). Support for using that new name will be added later. Feature plan: 1. Add support for tolerating the domain-qualified-finalizer 2. Add flag enabled support for setting the domain-qualified-finalizer 3. Release a version with current finalizer on by default 4. Change default behavior to use the domain-qualified-finalizer and allowing flag to use legacy behavior 5. Release a version with domain-qualified-finalizer on by default 6. Remove support for the legacy finalizer and the flag 7. Release a version with only domain-qualified-finalizer Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

Ideally this allows users to use acme.cert-manager.io/finalizer Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

…to-venafi-certs 6898: Add validity duration to Venafi certificates

Support a domain qualified finalizer instead of one that triggers a warning from kubernetes

Add design for pushing charts to OCI registry

…r exist at the moment of deletion Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Remove issuer argument from CleanUp function

Signed-off-by: Richard Wall <richard.wall@venafi.com>

Remove webhook validation for Route53 region Signed-off-by: Richard Wall <richard.wall@venafi.com>

Enable and fix usestdlibvars, misspell and staticcheck linters

Signed-off-by: Richard Wall <richard.wall@venafi.com>

Signed-off-by: Nathan Baulch <nathan.baulch@gmail.com>

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Signed-off-by: Richard Wall <richard.wall@venafi.com>

Fix typos

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Remove old API versions

Optional AWS Route53 region

Signed-off-by: Richard Wall <richard.wall@venafi.com>

Add managed-by label to webhook CA

Signed-off-by: Richard Wall <richard.wall@venafi.com>

Prevent aggressive Route53 retries caused by IRSA authentication failures by removing the Amazon Request ID from errors wrapped by the default credential cache

Allows you to see which API endpoints are being used and which region is being used in the request signature. To help debug AWS Route53 problems in the field. Signed-off-by: Richard Wall <richard.wall@venafi.com>

Log AWS SDK warnings and API requests at cert-manager debug level

Including IMDS and STS requests. Signed-off-by: Richard Wall <richard.wall@venafi.com>

Signed-off-by: Richard Wall <richard.wall@venafi.com>

Append cert-manager user-agent string to all AWS API requests

Upgraded Go dependencies using https://github.com/oligot/go-mod-upgrade go-mod-upgrade make go-tidy make generate Signed-off-by: Richard Wall <richard.wall@venafi.com>

Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>

[CI] Merge self-upgrade-master into master

Use context logger for Route53 operations

go-mod-upgrade

Signed-off-by: Richard Wall <richard.wall@venafi.com>

…lists Reduce load on the Kubernetes API server and reduce the peak memory use of the cert-manager components by enabling the use of the WatchList (Streaming Lists) feature

Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Signed-off-by: Ashley Davis <ashley.davis@venafi.com>

[CI] Merge self-upgrade-master into master

Add support for Kubernetes 1.31 in kind v0.24

Signed-off-by: Richard Wall <richard.wall@venafi.com>

…or WebIdentityToken are supplied in the Issuer Signed-off-by: Richard Wall <richard.wall@venafi.com>

Route53 DNS01 Solver: Always fall back on the ambient region

By reducing the make parallelism. Signed-off-by: Richard Wall <richard.wall@venafi.com>

N1_HIGHCPU_32 is no longer listed in the table of supported GCB machine types, but there is the following foot note in the documentation: > Cloud Build continues to offer n1-highcpu-8 and n1-highcpu-32 machine types. They are offered at the same price as e2-highcpu-8 and e2-highcpu-32 https://cloud.google.com/build/pricing Signed-off-by: Richard Wall <richard.wall@venafi.com>

Fix makestage OOM failures

…memory use of the cert-manager components by enabling the use of the WatchList (Streaming Lists) feature" Signed-off-by: Richard Wall <richard.wall@venafi.com>

…t-streaming-lists Revert "Reduce load on the Kubernetes API server and reduce the peak memory use of the cert-manager components by enabling the use of the WatchList (Streaming Lists) feature"

Signed-off-by: Richard Wall <richard.wall@venafi.com>

Allow extra environment variables to be added to cainjector, webhook and startupapicheck

Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>

[CI] Merge self-upgrade-master into master

Signed-off-by: Richard Wall <richard.wall@venafi.com>

make update-base-images

Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>

[CI] Merge self-upgrade-master into master

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

BUGFIX: use correct resource namespace for Cluster Issuers

…both string and integer values Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

BUGFIX: Update schema validation to accept both string and integer values

Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>

[CI] Self-upgrade merging self-upgrade-master into master

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

Signed-off-by: jordanp <jordan@rezel.net>

Helm chart: fix documentation for service accounts annotations

Helm: add enabled to json schema

This commit adds the `enableGatewayAPI` parameter to the chart config example. It also updates the feature gate list with their default values. Signed-off-by: Adolfo García Veytia (puerco) <puerco@stacklok.com>

Signed-off-by: Adolfo García Veytia (puerco) <puerco@stacklok.com>

Chart docs: Add enableGatewayAPI feature gates

Use new go 1.23 iterators

Signed-off-by: Adam Talbot <adamtalbot93@googlemail.com>

…eated when a certificate is deleted Signed-off-by: Adam Talbot <adamtalbot93@googlemail.com>

…te-requests-while-being-deleted fix: don't create certificaterequests while being deleted

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

[CI] Self-upgrade merging self-upgrade-master into master

Signed-off-by: Ashley Davis <ashley.davis@venafi.com>

add IPv6 example for recursive DNS arg

See also #7357 A US DoD document [1] states that: > Effective immediately, all Public Key enabled commercial-off-the-shelf > software and Public Key enabled Open-Source software integrations [...] > must support at least RSA-3072 (4096 is preferred) and SHA-384. cert-manager already supports large RSA keys - that's no problem. But we always use SHA256 with all RSA keys currently; this commit changes that so we use SHA512 for RSA keys 4096 bits and above, or else SHA384 for RSA keys 3072 bits and above, or else SHA256. We discussed in standups / in the issue how to roll this out, and the consensus so far has been to roll this out unilaterally. Albeit we don't have data to support our assumption, we believe there won't be any huge compatibility problems from using this approach. One potential issue is that SHA512 can take (much) longer on some low powered 32-bit platforms (think older Raspberry Pis). We decided that the risk of slowdown there isn't worth delaying the rollout of this. Plus, people using those devices always have the option of using RSA-2048 or else ECDSA / Ed25519. [1]: https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/pdf/unclass-memo_dodcryptoalgorithms.pdf Signed-off-by: Ashley Davis <ashley.davis@venafi.com>

Use different hash algorithms for larger RSA keys

Remove unused test functions

Signed-off-by: Ashley Davis <ashley.davis@venafi.com>

Cleanup key gen / RSA key sizes

Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>

[CI] Merge self-upgrade-master into master

Signed-off-by: Jochen Richter <jochenrichter84@gmail.com>

Signed-off-by: Ashley Davis <ashley.davis@venafi.com>

add tenantID option to azureDNS managedIdentity

Resources with applyset labels will be pruned, which is problematic. Instead of a generic annotation to control label propagation, the applyset labels are always excluded. This should be a good middleground whilst an API for doing this in a more generic way is discussed. The label should not ever be propagated, and so is a safe default. Fixes: #7306 Signed-off-by: Thomas Way <thomas@6f.io>

Do not propagate applyset labels

Includes a lot of comments explaining how the maxima were calculated. This is _very_ conservative, and assumes we're dealing with RSA keys twice the size of what we actually allow as a maximum. From running the included benchmark it seems the pathological runtime is about 13617196ns (13ms) on an M2 Max which seems acceptable. Signed-off-by: Ashley Davis <ashley.davis@venafi.com>

Signed-off-by: Ashley Davis <ashley.davis@venafi.com>

Restrict max size of PEM inputs

Signed-off-by: cert-manager-bot <cert-manager-bot@users.noreply.github.com>

[CI] Merge self-upgrade-master into master

[pull] master from cert-manager:master #1066

Are you sure you want to change the base?

[pull] master from cert-manager:master #1066

Commits on Jul 4, 2024

Commits on Jul 10, 2024

Commits on Jul 12, 2024

Commits on Jul 15, 2024

Commits on Jul 16, 2024

Commits on Jul 17, 2024

Commits on Jul 18, 2024

Commits on Jul 19, 2024

Commits on Jul 23, 2024

Commits on Jul 24, 2024

Commits on Jul 26, 2024

Commits on Jul 30, 2024

Commits on Jul 31, 2024

Commits on Aug 5, 2024

Commits on Aug 6, 2024

Commits on Aug 7, 2024

Commits on Aug 8, 2024

Commits on Aug 11, 2024

Commits on Aug 12, 2024

Commits on Aug 13, 2024

Commits on Aug 14, 2024

Commits on Aug 15, 2024

Commits on Aug 16, 2024

Commits on Aug 17, 2024

Commits on Aug 20, 2024

Commits on Aug 21, 2024

Commits on Aug 23, 2024

Commits on Aug 26, 2024

Commits on Aug 29, 2024

Commits on Aug 30, 2024

Commits on Sep 5, 2024

Commits on Sep 6, 2024

Commits on Sep 9, 2024

Commits on Sep 10, 2024

Commits on Sep 11, 2024

Commits on Sep 12, 2024

Commits on Sep 17, 2024

Commits on Sep 18, 2024

Commits on Sep 19, 2024

Commits on Sep 20, 2024

Commits on Sep 21, 2024

Commits on Sep 22, 2024

Commits on Sep 24, 2024

Commits on Sep 25, 2024

Commits on Sep 26, 2024

Commits on Oct 1, 2024

Commits on Oct 2, 2024

Commits on Oct 5, 2024

Commits on Oct 7, 2024

Commits on Oct 8, 2024

Commits on Oct 9, 2024

Commits on Oct 10, 2024

Commits on Oct 11, 2024

Commits on Oct 14, 2024

Commits on Oct 15, 2024

Commits on Oct 16, 2024

Commits on Oct 21, 2024

Commits on Oct 25, 2024

Commits on Nov 1, 2024

Commits on Nov 5, 2024

Commits on Nov 6, 2024

Commits on Nov 8, 2024